CVE-2022-43434
Description
Jenkins NeuVector Vulnerability Scanner Plugin disables Content-Security-Policy for downloaded artifacts, enabling XSS attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2022-43434 affects the Jenkins NeuVector Vulnerability Scanner Plugin, versions 1.20 and earlier according to the Jenkins advisory [1][4]. Jenkins serves user-generated content such as workspace files and archived artifacts with a restrictive Content-Security-Policy (CSP) so that an HTML file stored there cannot act within the Jenkins origin. The plugin overrides that protection globally: in the build step's perform() method it calls System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", ...) with a replacement policy that omits the sandbox directive Jenkins includes by default, and because this is a JVM-wide system property the weakened policy applies to every file Jenkins serves, not only the plugin's own reports [1].
Exploitation
Conditions
An attacker who can place a file in a Jenkins workspace or archived artifact (for example through a build step they control, or by exploiting another vulnerability) can craft an HTML file that, when a user opens it from Jenkins in a browser, is no longer isolated into the unique origin that the default sandbox directive imposes; no privileges beyond the ability to store content that other users can reach through the workspace or artifact browser are required [2]. Two further conditions follow from the fix commit: the property is set inside the NeuVector build step's perform() method, so the policy is weakened only once a build containing that step has run on the controller, and because it is a system property the weakened value persists for all subsequent requests until the controller is restarted or the property is reset. The plugin's replacement policy keeps default-src 'none' but drops sandbox, so browser protections that depend on origin isolation of the served file no longer apply.
Impact
Successful exploitation can lead to XSS attacks in which the attacker steals session cookies, performs actions on behalf of the victim, or defaces pages. The impact is limited to users who open the malicious files in a browser via Jenkins, but because Jenkins is routinely used to store and share build artifacts, this could affect many users within an organization. The vulnerability is rated as medium severity in the Jenkins advisory [1].
Mitigation
Status
At the advisory publication date (October 19, 2022) no fixed version was available [1][2], and users were advised to disable the plugin if it was not essential or to restrict browsing of workspaces and archived artifacts to trusted users. A fix followed: commit e0a72373ef1c in the plugin repository [3] removes the System.setProperty call, and the CHANGELOG in that commit records the fix in 1.21 (October 25, 2022) and 1.22 (October 28, 2022); the GitHub Security Advisory lists 1.22 as the patched version. Upgrading does not by itself undo a property that a vulnerable build has already set in a running controller, so after upgrading, clear the property or restart the controller and verify that files served from workspaces again carry Jenkins' default Content-Security-Policy header.
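The following Script Console snippet is an added example for administrators checking a controller for this issue; it is not part of the NeuVector plugin, the Jenkins advisory, or the fix commit. It reads the hudson.model.DirectoryBrowserSupport.CSP system property, flags policies that lack the sandbox directive or otherwise permit scripts, compares the current value with the one the vulnerable plugin versions hard-coded (taken from the fix diff above), and can clear the property to restore Jenkins' built-in default. The default policy string and the parseCsp/auditCsp helpers are this example's own; the audit rules are a reasonable subset, not an exhaustive CSP analysis.

```groovy
// Added example for Manage Jenkins > Script Console; run as an administrator.
// Not code from the NeuVector plugin or the advisory.

String PROP = 'hudson.model.DirectoryBrowserSupport.CSP'
// Jenkins' built-in default when the property is unset.
String JENKINS_DEFAULT = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
// Value hard-coded by NeuVector Vulnerability Scanner Plugin 1.20 and earlier (from the fix diff).
String NEUVECTOR_VALUE = "default-src 'none'; style-src 'self'; img-src 'self';"

// Parse "directive src src; directive ..." into directive -> list of source expressions.
// Helper defined for this example.
Map<String, List<String>> parseCsp(String policy) {
    policy.split(';').collect { it.trim() }.findAll { it }.collectEntries { token ->
        List<String> parts = token.split(/\s+/) as List
        [(parts[0].toLowerCase()): parts.drop(1)]
    }
}

// Findings for a DirectoryBrowserSupport policy. A sandbox directive without both
// allow-scripts and allow-same-origin is what keeps served files out of the Jenkins origin.
// Helper defined for this example.
List<String> auditCsp(String policy) {
    List<String> findings = []
    Map<String, List<String>> csp = parseCsp(policy)
    if (!csp.containsKey('sandbox')) {
        findings << "no 'sandbox' directive: served files are not isolated from the Jenkins origin"
    } else if ('allow-scripts' in csp.sandbox && 'allow-same-origin' in csp.sandbox) {
        findings << "sandbox allows both scripts and same-origin access: sandbox is ineffective"
    }
    List<String> scriptSrc = csp['script-src'] ?: csp['default-src']
    if (scriptSrc == null) {
        findings << "no script-src or default-src: scripts are unrestricted"
    } else if ("'unsafe-inline'" in scriptSrc || '*' in scriptSrc) {
        findings << "script-src permits inline or wildcard scripts: ${scriptSrc}"
    }
    findings
}

String current = System.getProperty(PROP)
if (current == null) {
    println "${PROP} is unset; Jenkins default applies: ${JENKINS_DEFAULT}"
} else {
    println "${PROP} = ${current}"
    auditCsp(current).each { println "  FINDING: ${it}" }
    if (current.trim() == NEUVECTOR_VALUE.trim()) {
        println "  value matches the one hard-coded by NeuVector Vulnerability Scanner Plugin 1.20 and earlier"
    }
}

// Remediation: clearing the property restores Jenkins' default for subsequent requests.
// A still-vulnerable plugin version will set it again on its next build, so also upgrade.
boolean RESTORE = false   // set to true to apply
if (RESTORE && current != null) {
    System.clearProperty(PROP)
    println "cleared ${PROP}; Jenkins default CSP is active again"
}
```

Run it once to audit, then set RESTORE to true and run it again to clear a weakened value; re-run the audit after the plugin upgrade and a build to confirm the property stays unset.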
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jenkins.plugins:neuvector-vulnerability-scanner (Maven) | < 1.22 | 1.22 |
Affected products
- Range: unspecified
Patches
e0a72373ef1c: fix Security-2865 / CVE-2022-43434
2 files changed · +4 −3
CHANGELOG.md+4 −0 modified@@ -68,6 +68,10 @@ This is a Jenkins Plugin to do security vulnerabilities scan on registries and l See [GitHub releases](https://github.com/jenkinsci/neuvector-vulnerability-scanner-plugin/releases) +1.22 (Oct 28, 2022) +----- +* Fix Security-2865 / CVE-2022-43434 + 1.21 (Oct 25, 2022) ----- * Fix Security-2865 / CVE-2022-43434
src/main/java/io/jenkins/plugins/neuvector/NeuVectorBuilder.java+0 −3 modified@@ -206,9 +206,6 @@ public void perform(@Nonnull Run<?, ?> run, @Nonnull FilePath workspace, @Nonnul // init the logger this.logger = new Log(listener.getLogger()); - // config the Jenkins CSP to allow the main panel to show html file - System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'none'; style-src 'self'; img-src 'self';"); - // copy styles.css to workspace File cssFile; final EnvVars env = run.getEnvironment(listener);
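Review bot: the new 1.22 entry in CHANGELOG.md repeats the 1.21 line verbatim ("* Fix Security-2865 / CVE-2022-43434") without saying what 1.22 changes beyond 1.21; if 1.21 already contained the fix, state what the follow-up release adds (or that it is a re-release) so that readers of the changelog can tell which version they actually need.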
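Review bot: removing the System.setProperty call in NeuVectorBuilder.perform() stops new builds from weakening the policy, but a controller on which a vulnerable build has already run still holds the weakened hudson.model.DirectoryBrowserSupport.CSP value until restart or manual reset; the release notes or commit message should tell administrators to clear the property or restart after upgrading. The deleted comment ("config the Jenkins CSP to allow the main panel to show html file") also shows the plugin's HTML output depended on this override; document that it now renders under Jenkins' default sandboxed CSP and that, if styling breaks, the supported route is an administrator-configured system property rather than the plugin setting it for the whole controller.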
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-wmfh-h3vm-rcxm (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-43434 (NVD)
- www.openwall.com/lists/oss-security/2022/10/19/3 (oss-security mailing list)
- github.com/jenkinsci/neuvector-vulnerability-scanner-plugin/commit/e0a72373ef1c20c41b8eb086883a7090cf04809c (fix commit)
- www.jenkins.io/security/advisory/2022-10-19/ (Jenkins security advisory)
News mentions
No linked articles in our index yet.